SECURITY REPORT - About Keysight
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
2019 SECURITY REPORT
TABLE OF CONTENTS
01 02 03
Introduction The Ixia Application Top 5 Security Threat
and Threat Intelligence Insights from 2018
Page 3
Research Center
Page 9
Page 6
04 05
Security Watch List Conclusion
for 2019 Page 31
Page 27
2
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
SECTION
01
INTRODUCTION
Welcome to the third annual Security
Report issued by Ixia, a Keysight business.
Each year, the Ixia Application and
Threat Intelligence (ATI) Research Center
summarizes the most interesting and
prominent internet security trends. We
analyze ATI data to help organizations
understand where they can improve. We
also analyze the data to predict the biggest
hotspots for the coming year. In all our
work, we aspire to help cybersecurity
professionals strengthen their security
posture by sharing knowledge of active
exploits, new and old.
3
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
The Top 5 Security Issues from 2018
• Poor or lacking product security exposed
businesses to additional risk
• The human attack vector, via Phishing and Malware,
remained reliable
• Poor cyber hygiene continued to persist year
after year
• The good intention of sharing product vulnerability
information actually led to more attacks
• Crypto mining/jacking continued without abatement
4
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
Key Observations
In 2018, we observed many successful attacks based on historic
A
vulnerabilities. Legacy attacks dating back to as far as 2009
remained effective. Hackers successfully compromised systems
when the systems were unpatched, or because no patch was
available for a legacy system. Widespread availability of
exploit software that targets well-known vulnerabilities also
contributed to the phenomenon. Bad security hygiene, in the
form of default login and password credentials, also contributed
to the problem.
B
Public cloud architectures created a second vector for new
security attacks. Both home-grown and commercial software
packages exhibited vulnerabilities. We categorize these into
two basic groups: code vulnerabilities and configuration
vulnerabilities. Misconfigured security and access policies
were a major source of data breach in 2018.
Beneath the threats observed lies an unavoidable truth:
C
Network and application complexity pose serious security
threats. Complexity continues to grow within enterprise and
service provider IT environments. This growing complexity
is creating new security vulnerabilities every day. Thwarting
security attacks starts with a continuous commitment to
security best practices. Tools augment your ability to mitigate
threats, but only security best practices can prevent them.
5
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
SECTION
02
THE IXIA APPLICATION
AND THREAT INTELLIGENCE
RESEARCH CENTER
Ixia’s strategy starts with an elite team of
dedicated cybersecurity professionals that
form the Ixia ATI Research Center. This
globally distributed team works around
the world and around the clock from
locations like Singapore, California, Texas,
Massachusetts, France, Romania, and India.
They monitor and analyze the ever-evolving
indicators that could threaten the security
of IT networks. The team distills that
knowledge into research and rule sets. We
incorporate these insights into Ixia solutions
to maximize your ability to detect and
combat the latest threats.
6
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
The ATI team also contributes to the larger security In many cases, the team can go from discovery
community. The Ixia ATI team shares what it learns to an Ixia product update within a 24-hour period.
with vendors that have been hacked, private agencies
Input to the research process comes from
(e.g., www.mitre.org), government agencies (e.g.,
many sources:
NIST and DARPA), and at global security conferences
• International exploit databases
such as Black Hat and RSA. Ixia also promotes a
summer security school in Bucharest, Romania, to • The Dark Web
help train new security engineers.
• Scan of security news alerts and crowdsourcing
The ATI team assesses and validates products that are
meant to secure the enterprise. The team serves as a • Twitter handles of other security researchers
front line of defense, monitoring internet-connected • Partner feeds
products and analyzing observed behavior to discover
exploitable weaknesses in any vendors’ product. • Honeypots actively looking for attacks in the wild
Security alerts and incidents happen all hours of the • Independent research (testing and reverse
day and night, so the team takes a follow-the-sun engineering) by the ATI team
approach. Dozens of engineers combine to form a
single global team that can create and disseminate the
latest security intelligence.
7
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
Members of the team constantly poll multiple Ixia’s ATI threat intelligence feed incorporates data
sources to get insights into vulnerabilities. They in a way no other provider offers. While others in the
normalize, correlate, and organize the data to get a industry create automated intelligence platforms
clear direction on the threats and how to prioritize or open source feeds, those solutions are generally
them. Team members then investigate the threats tailored to provide insights related to specific
and either validate or dismiss them. They research products in a vendor’s portfolio. For example, a feed
everything to make sure that the threat detection and from Microsoft may focus on vulnerabilities related
prevention content deployed in our products is 100 to products and threats relative to the Microsoft
percent correct. This deep research also gives them portfolio. Ixia threat feeds look at the internet on
the utmost confidence in our data and predictions. a global scale, and provide actionable intelligence
based on internet-wide telemetry.
The BreakingPoint company established the ATI team
in 2005. Ixia acquired BreakingPoint in 2012. The ATI intelligence takes the form of a “rap sheet.” A rap
BreakingPoint solution is a security attack and traffic sheet captures threat intelligence via a proprietary
generator that network equipment manufacturers, database of known bad actors or offenders. The
service providers, governments, and enterprises database is constantly updated, providing real-time
use to validate network and security resiliency while actionable threat intelligence. The team validates
under load and attacks. Generating traffic using blacklisted sites continuously, updating the database
threats based on real-world research is just one to ensure new threats are tracked and false positives
way that Ixia and Keysight help harden solutions for are removed. Automated rap sheets provide updates
applications as diverse as automotive and Internet of as often as every five minutes, delivering the data in
Things (IoT) solutions. real time to Ixia visibility solutions.
The ATI team serves as the
guard to security guardians -
challenging others in the industry
to improve their product security,
and constantly monitoring to
spot issues before they become
epidemics. Ixia is committed to
making it as hard as possible for
hackers to succeed.
8
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
SECTION
03
TOP 5 SECURITY
THREAT INSIGHTS
FROM 2018
2018 included a mixture of exploits, including
some new, as well as many which we had seen
before often modified to incorporate more
known, unpatched vulnerabilities.
9
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report
From the attacks observed, we can
draw five major conclusions about
the state of security threats in 2018:
1. Software
security cause the
majority of product
vulnerabilities
2. Humans are the
5. Crypto-jacking
weakest link: We
activity reached new
click lots of avoidable
peaks in 2018: This
phishing and malware
threat continues to
links
grow
4. Security vulnerability 3. Cyber hygiene
disclosures are a is at an all-time
double-edged sword: low: Vendors and
Both hackers and IT need to clean
vendors benefit up their act
10
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report1. Software Security Flaws Cause the
Majority of Product Vulnerabilities
Software security flaws contributed to a record
number of security incidents in 2018. We saw more
new devices than ever before, but we also saw more
devices designed and deployed without proper
measures to stop, or even limit, threats.
This was especially true for web applications, where
bad actors succeeded by exploiting well-understood
SQL injection and cross-site scripting vulnerabilities.
The use of these two web attack vectors covers the full
range of attack delivery, from common spam attacks
to automated remote exploitation – the act of taking
control of vulnerable servers on a global scale.
Zero-day exploits gave hackers an advantage over
IT security teams, who struggled to stay ahead of
constant vulnerability disclosures. Some open source
organizations attempted to proactively mitigate
vulnerabilities by standardizing security controls and
measures inside commonly used web development
frameworks. However, code fragmentation makes it
difficult for these central improvements to address the
widespread problem.
11
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportCode sharing carries other risks, too. For example,
a recent study 1 examined code fragments on the
popular coding site Stack Overflow. The study found
that many Stack Overflow answers contain security
vulnerabilities. Developers need to ensure they
validate all code for common security design flaws.
To solve this problem, web developers and system
architects must be educated on security best
practices. Until developers embrace software design
best practices, attackers will continue to exploit these
vectors, sometimes at scale and with substantial
consequences, as in the case of Equifax.
Recent examples of exploits that resulted from poor
software security practices included:
• Android debugging
• Apache Struts
• Cisco Smart Install
As Gabriel Cirlig explained in a 2018 blog post 2 ,
numerous Android devices have debugging that is
either turned on by default or enabled by unaware
users. This leads to thousands of devices with their
root access exposed on the internet. The Trinity
malware took advantage of this product weakness and
deployed crypto miners into many of these devices.
1. https://laurent22.github.io/so-injections
2. https://www.ixiacom.com/company/blog/trinity-p2p-
malware-over-adb
12
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportBut how long can software vulnerabilities follow you?
Figure 1 provides insight to this question. The Trinity
malware exposed the Android root vulnerability in
the summer of 2018, yet attacker interest continued
months later, with Ixia honeypots seeing thousands of
attempted attacks daily in December 2018.
The Apache Struts product security weaknesses (CVE-
2018-11776) also continued to plague the internet.
The vulnerabilities are similar to those observed in
2017, which resulted in the highly publicized Equifax
hack that exposed sensitive data of 143 million
people.1 These vulnerabilities put thousands of web
applications at risk. Bad actors exploited these
weaknesses, using Cryptojacking scripts to infect
servers and compromise devices, infecting the devices
with crypto mining malware.
1. https://www.bugcrowd.com/threat-report-apache-struts-
cve-2018-11776/
But how long can software
vulnerabilities follow you?
14,000
8,000
2,000
DECEMBER 1-31, 2018
Figure 1. Trinity malware uptick in December 2018
13
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report4,000
3,000
2,000
1,000
0
APRIL - DECEMBER, 2018
Figure 2. Cisco Smart Install attack attempts in December 2018
Cisco devices were also targets of this type of exploit
in 2018. Cisco’s Smart Install feature, designed to
provide simple configuration of new devices inside
a network, provided the attack vector. Nearly two
years earlier, researchers documented the security
vulnerability and observed an exploit tool known
as SIET1 in the wild. In 2018, new vulnerabilities in
devices supporting the protocol revived interest in
the exploit. Ixia honeypots started seeing thousands
of daily exploit attempts after details of a new
vulnerability came out, as shown in Figure 2.
1. https://github.com/Sab0tag3d/SIET
Recommendation 1:
Buyers should research the common
vulnerabilities database and confirm
fixes with vendors before deploying
new hardware or software upgrades.
The CVE database can help customers
gauge the security track record and
response time of a vendor.
14
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report2. Humans are the Weakest Link
Many recently documented compromises (such as the In 2018, Ixia systems detected 662,618 phishing
John Podesta/U.S. Democratic National Committee pages in the wild, and 8,546,295 pages hosting or
1
hack ) started with a phishing attempt. As any infected by malware. Clearly, exposure reaches far
security researcher can confirm, a well-crafted and beyond organizations with weak perimeter security.
well-timed phishing attempt can confuse even the A successful attack on your infrastructure requires
most tech-savvy expert into making a mistake that only a single errant click on an email or hypertext
leads to a network compromise. An attacker can use call-to-action. While many infected pages that house
the results of a successful phishing attack to execute these attacks are taken down in hours or days, some
an attack and drop malware on the target’s system. malware samples live online for years on abandoned
Once deployed, the attacker can attempt to move websites. One good example is a web page that
toward systems of higher value inside the network. serves an old version of the Cerber ransomware. Ixia
first detected it on November 21, 2017, yet it is still
Security against the human vector requires a
online today. Even though this particular attacker is
combination of the following:
no longer active, the legacy of the malware lives on,
• Educating users about the risks that exist in the wild
infecting anyone that receives a recycled link.
• Detecting and blocking phishing and malware that
try to pass the network edge
• Blocking endpoint infection attempts if a phishing
attack succeeds
• Detecting and blocking lateral movement when
the previous techniques have failed
1. https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a
Recommendation 2:
Humans make mistakes. Even the most highly trained people
can fall prey to phishing attacks. Technological aids or
reminders can help reduce the probability of an attack. For
example, an email program that highlights when an incoming
email looks like potential spam or phishing, or when it is from
an external entity, enables you to pay attention and carefully
scrutinize the URLs contained in the email. Also, tools such as
password managers enable computers to reinforce security
and reduce incidents caused by human error.
15
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report3. Cyber Hygiene is at an
All-time Low
IT product vendors created code or configurations
that caused many successful security breaches
in 2018, but IT operations and security personnel
also shared the blame. Well-known attacks
and attack vectors remain successful because
security personnel did not address architecture
vulnerabilities and apply patches.
This oversight is primarily due to two factors:
ignorance of the latest patches, and challenges
deploying frequent patches in a timely manner.
Both factors leave businesses vulnerable. Many
successful breaches in 2018 did not involve new
versions of malware or attack methods – existing
exploits targeting unpatched vulnerabilities proved
to be very effective again in 2018.
Here are some examples of this type of exploit:
• Persistent brute forcing (public facing systems
that can be brute forced)
• EternalBlue (disclosed in 2017)
• Dahua digital video recorders (a 5-year-old
vulnerability)
• CVE-2009-4140, a web application vulnerability
from 2009
16
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportBrute-force attacks have not let up in their 20th There are multiple solutions to help prevent brute-
year on the internet, and only continue to grow in force attacks:
popularity as devices proliferate. A remote brute- • Utilizing public/private keys for remote
force attack involves repeatedly guessing common administration of servers
usernames and passwords. This type of attack
• Two-factor authentication for remote
often targets an administrative console for a web
administration
application, a remote desktop session, or a listening
service (like Secure Shell or Telnet). These services • One-time-use factory-shipped passwords for
exist on nearly every type of device, from the largest embedded devices (IoT)
assets in the world to millions of small embedded • Disabling remote access until enabled by the
devices found everywhere. IoT endpoints in particular user with a custom password
had many vulnerabilities in this category.
Hackers most frequently attacked Telnet and SSH with
brute-force attacks. IoT-targeting botnets (such as Mirai
and its clones) prefer to target these two protocols.
However, as the graph below shows, any service
employing default or weak credentials is at risk.
Telnet-Brute-force
SSH-Brute-force
MySQL/MSSQL Brute-force
Generic PHP Application
Login Bruteforce
SMTP Authentication Bruteforce
VNC Bruteforce
Others
Figure 3. Top brute-force attacks in 2018
17
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportAnother well-known attack that continues to Mirai and other botnets continue to scan for
proliferate is EternalBlue (CVE-2017-0144). The vulnerabilities that are more than 5 years old, such
infamous WannaCry malware leveraged EternalBlue as Dahua DVRs and video cameras. Many victims
in May 2017. Despite EternalBlue’s age, it continued do not even realize they are affected. Ixia began
to gain momentum in 2018. This vulnerability only tracking Mirai-based bots soon after they started
impacts hosts running Windows 7 or previous spreading. Ixia solutions identify the command and
editions. Bad actors heavily scanned for vulnerable control anomalies, as well as the bots themselves,
systems throughout 2018; the number of scanning based on packet attributes.
attempts for this vulnerability was three times greater
in December 2018 than in January 2018. See the Ixia
data in Figure 4.
5M
4M
3M
2M
1M
0
JANUARY - DECEMBER, 2018
Figure 4. EternalBlue scanning attempts by bad actors in 2018
One victim was a laundromat company.
The botnet would compromise the company’s
internet-connected security cameras, adding them to
the botnet. The cameras would livestream footage of
whatever they pointed at. As the exploit continued,
the traffic would overload system resources. Once
this happened, the cameras would stop working. The
owner would reboot the cameras, and they would
return to factory defaults. The cameras would behave
normally for a few days, and then the cycle would
repeat. The owners were unaware that the equipment
kept failing because of product security design
defects. Instead, they assumed they had purchased a
cheap product with poor reliability.
18
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportWhile a laundromat might seem innocuous, the Figure 5 shows one example of how hackers are still
key point is that the IoT device threat is real. trying to exploit older vulnerabilities in Dahua DVRs.
These devices could be cameras, in-home routers, Equipment that should have been patched or removed
televisions, or millions of other things. Security from the internet remains in place without remediation.
patching requires ongoing investment from both
the vendor and the device owner. If left unpatched,
attackers will discover and exploit these design flaws.
1600
1400
1200
1000
800
600
400
200
0
August 2018 September 2018 October 2018 November 2018 December 2018
Figure 5. Attackers still target Dahua DVR (CVE-2013-6117) exploit from 2013
19
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportAdditional research shows that many hackers The CVE-2009-4140 vulnerability allows complete
are simply opportunists. They try to find as access to a system. Remote authenticated users
many vulnerable older systems as they can. One can execute arbitrary code by uploading a file to the
example is CVE-2009-4140, which demonstrates system. Activity targeting this old vulnerability for
that opportunists will look through the archive of web applications reappeared in Ixia honeypots in
vulnerabilities to try to find exploitable systems 2018, as shown in Figure 6.
running ancient software on the internet. Old
equipment may still be in use or redeployed as a
backup. Older software is less likely to receive patch
updates or intrusion-detection and -prevention
signatures for security threats, increasing risk for
organizations that deploy it.
500
400
300
200
100
0
JANUARY - DECEMBER, 2018
Figure 6. CVE-2009-4140 exploitation continues
Recommedation 3:
Keep your business secure by
reviewing public exploit websites
(like www.mitre.org) to see a list of
common vulnerabilities and apply
the recommended patches and
architectural fixes.
20
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report4. Security Vulnerability Disclosures
are a Double-edged Sword
Vulnerability reporting helps vendors and consumers
identify security flaws. When security engineers
find a zero-day vulnerability, security threat, or other
exploit, sharing information quickly is a common
practice, so that vendors can fix their code and IT
teams can secure their networks. But vulnerability
reporting also informs hackers, who often can
move faster than vendors or enterprise IT. Ixia has
observed more successful security attacks following
the disclosure of new vulnerabilities.
Here are examples of exploits where hackers were
able to move faster than vendors and IT teams:
• Mirai
• Drupalgeddon
• D-Link DSL-2750B remote code execution
vulnerability
21
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportMirai, the botnet that hit the internet in 2016, originally used brute force to target
embedded devices listening on Telnet. Mirai source code was released to open
source communities, spawning many copycat versions that use brute-force SSH
attacks and incorporate multiple other embedded device vulnerabilities to increase
the rate of compromise. Mirai derivatives remain high on the list of active botnets
on the Internet and remain a persistent and evolving threat to embedded Linux
systems. Figure 7 illustrates the ongoing risk from this attack.
50M
40M
30M
20M
10M
0
JANUARY - DECEMBER, 2018
Figure 7. Mirai resurgence in late 2018
22
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportDrupalgeddon, originally referred to as CVE-2014-3704, is a SQL injection
vulnerability that targets the Drupal web framework. Last year, researchers
uncovered and responsibly disclosed similarly dangerous flaws that they dubbed
Drupalgeddon 2 and 3. Drupalgeddon 2 (CVE-2018-7600) was responsibly
disclosed. The researcher warned the development team, giving the team time to
create and issue a patch before the exploit details became public. After private
notification, the researcher released information necessary to exploit each
vulnerability on April 12 and April 25, 2018, respectively. As shown in Figure 8,
exploit attempts quickly followed.
Interest in these two vulnerabilities then waned, mainly because the fast patching
process quickly reduced the number of available targets.
1600
1400
1200
1000
800
600
400
200
0
April 1, 2018 April 15 April 29 May 13 May 27
Figure 8. Drupalgeddon 2 and 3 attack waves start in April
4500
4000
3500
3000
2500
2000
1500
1000
500
0
January 2018 March May July September November
Figure 9. Drupalgeddon 2 and 3 attacks wane after May 2018
23
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report20,000
18,000
16,000
14,000
12,000
10,000
8,000
6,000
4,000
2,000
0
January 2018 March May July Septmber Septmber
Figure 10. D-Link DSL-2750B exploit
On May 25, 2018, a new tool emerged that exploited a
vulnerability in D-Link DSL-2750B routers. Attackers
quickly seized the new tool and attempted to exploit
the vulnerability. Interest peaked in August and
September when newer versions of Mirai clones
attempted to exploit this vulnerability.
Recommedation 4:
Disclosing vulnerability and exploit
information in closed communities
can reduce risk and slow hackers
down, giving application developers
and enterprises an opportunity to
patch defects before hackers create
tools to exploit the vulnerabilities in
the wild.
24
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security Report5. Crypto-jacking Activity Reached
New Peaks in 2018
Ixia predicted the rise of crypto-miners in its 2017
annual security report. Not only did this trend
emerge, but hackers combined multiple classic
attacks to deliver nearly autonomous malware,
capable of spreading internally and building massive
shadow networks dedicated to crypto mining. Ixia
honeypots captured several new exploits that run
an EternalBlue scan and, when successful, deposit a
crypto miner onto the network.
The meteoric rise of cryptocurrency value in 2018
drove a new form of compute resource monetization.
Classic malware tried to find something of value on
a compromised system, often ransoming the data.
With crypto-mining, the compromised system itself
provides value through the mining of cryptocurrencies.
It is easier for bad actors to mine for cryptocurrency
than to ransom or steal something else of value.
Detection poses little risk to the hacker using an
anonymous cryptocurrency. This low-risk, high-reward
environment means that ransomware is no longer the
exploit of choice. Instead, many new exploits now
focus on automating the installation and distribution of
miner malware to as many hosts as possible.
25
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportCloud misconfigurations caused many data breaches
in 2018. In many cases, organizations stored
personally identifiable information (PII) in the clear in
Amazon S3 databases. Plain-text storage, combined
with human errors that exposed the database to
hackers, caused many costly data breaches in 2018.
While human error causes some of these incidents,
others clearly stem from a lack of understanding of
security best practices. Cloud security teams could
benefit from working more closely with their on-
premises IT security teams, leveraging best practices
learned from years of on-premises IT application
deployments. Cloud technology works differently,
but that is no excuse for breach of PII. Your choice of
technology platform will not reduce the fine levied for
breach of personally identifiable data.
Recommedation 5:
Adding network visibility helps you
see when someone or something is
mining cryptocurrencies, so you can
curb such activities.
26
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportSECTION
04
SECURITY WATCH
LIST FOR 2019
Based upon Ixia-collected data and
historical activity, the Ixia ATI team predicts
the following six trends for 2019:
• Abuse of low-value endpoints will escalate
• Brute-force attacks on public-facing
systems and resources will increase
• Cloud architectures create complexity that
increases attack surfaces
• Phishing will continue to evolve. As more
companies begin using similar enterprise
email systems (Office 365, G Suite), better
phishes will help hackers get around
defenses
• Multiphase attacks that use lateral
movement and internal traffic will increase
• Crypto mining/cryptojacking attacks will
increase
27
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportTrend 1: Trend 2:
Abuse of Low-value Brute-force Attacks on
Endpoints will Escalate Public-facing Systems and
Resources Will Increase
Until basic security hygiene improves, hacks like Mirai This attack vector has existed for close to 20 years.
and cryptojacking will continue unabated. With more While solutions exist to eliminate this attack vector, we
devices connecting to the internet every day, the continue to see the same mistakes made repeatedly
number of targets continues to increase — and so will by vendors and IT practitioners. It appears there
the number of victims. will always be a server out there with the username
“root” and the password “password” that a hacker
can exploit. Individuals can prevent attacks on
their systems by changing default credentials, but
only adoption of two-factor and public/private key
authentication will provide a permanent solution.
Brute-force exploits will also increase significantly
for enterprises and carriers with the proliferation of
IoT devices. Many forget, or do not understand, that
these devices ship with default credentials. In addition,
the devices are actively broadcasting — so they can
connect to an internet router and relay data. Attackers
can exploit this mechanism to connect to the IoT
device and take it over.
28
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportTrend 3: Trend 4:
Cloud Architectures Create Phishing Attacks Will Become
Complexity That Increases More Focused During the Next
Attack Surfaces Two Years
On-premises architectures gave security personnel Enterprises invest thousands to train employees to
complete control of their equipment and architecture. recognize phishing attacks. In response, hackers
Public cloud-based solutions give no control over create better phishes that are less obvious to
server and network architecture. Attacks like victims, and more targeted. Growing Office 365
Spectre (CVE-2017-5753) and CVE-2019-6260 and Google G Suite adoption will help slow down
are just the beginning of the new types of attacks phishing momentum. Both tools provide some
aimed at cloud users and their data. The speed phishing indicators. However, well planned attempts
and dynamic capabilities of public clouds have will get past these newer defenses. Hackers will
unfortunately exposed a new attack vector: service relentlessly attack any system that provides a larger
misconfiguration. Misconfigured services provide potential payoff.
an open gate that hackers and bad actors can walk
through, often with disastrous results.
29
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportTrend 5: Trend 6:
Multiphase Attacks That Use Crypto Mining and
Lateral Movement and Internal Cryptojacking Attacks
Traffic Will Increase will Increase
Malware dwell times can exceed 100 days. Malware For decades, hackers sought to compromise systems,
often goes undetected because command and steal data, and more recently ransom computers. A
control traffic is sporadic, hidden like a needle in a shift has occurred, where new attacks target the
haystack and disguised to look like normal HTTPS systems themselves. Rather than stealing data at
traffic. Many organizations only monitor at ingress rest, attacker use compromised systems for crypto
and egress points in their network. As attacks grow mining. Old unpatched vulnerabilities previously
more sophisticated, we expect detection times will used for ransomware or DDoS networks are easily
continue to grow longer. We also expect attackers exploited to deliver crypto mining software.
to utilize more LAN-to-LAN attacks, hoping to avoid Advanced crypto miners do not depend on classic
detection by abusing the trust of internal traffic. command and control architectures, making
Micro-segmentation can increase visibility, helping them harder to detect and prevent fluctuating
detect and catch lateral movements. cryptocurrency values may slow the growth of mining
networks, but mining will continue to offer financially
attractive incentives to hackers looking to make some
quick money.
30
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportSECTION
05
CONCLUSION
In 2018, we observed important shifts in
the threat landscape. We observed new
malware variants, and new versions of well-
known legacy exploits. We observed many
security breaches due to misconfiguration
errors, and we saw this trend extend further
into cloud-hosted software and services.
Cloud services offer nearly instant access
to a wide variety of scalable platforms
and services, but with that speed comes a
rapidly expanding attack surface, and more
opportunities for human error.
31
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportNetwork complexity continues to rise and attack IT teams can make many improvements to enhance
complexity mirrors the network landscape. Some their security architecture. We recommend that you
attacks die off, while others are reborn as new variants implement these activities now:
year to year. The ever-changing landscape requires • Perform a security patch analysis versus your
vigilance and quick responses from your security team. security control protections
Our research also uncovered data that indicates that • Analyze your public cloud security architecture,
the following six items will pose the most threat to and audit application access policies
enterprises over the coming one to two years. We
• Review password security practices for your IT
suggest that you review your security architecture for
systems and equipment
the following threats:
1. Abuse of low value endpoints will increase Our research shows that basic security hygiene
this year practices could prevent or minimize the impact of many
breaches. Security teams that ignore these practices
2. Brute force attacks will increase on your public
are more likely to suffer a breach.
facing assets
Patch analysis may sound boring, but too often, a
3. Cloud networks are increasing complexity, which
single engineer is responsible for patch maintenance
is increasing attack surfaces
of an application or piece of equipment. If that
4. Phishing attacks will become more focused over engineer leaves the company, responsibility for
the next two years patch maintenance may fall through the cracks. Our
5. Multiphase attacks that use lateral movements data shows that in many cases, year-old unpatched
and internal traffic will increase vulnerabilities allowed exploits to happen.
6. Crypto mining attacks will increase
If you have vulnerable systems that you cannot
immediately patch, do you know whether your
security controls will protect you?
32
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportAnother basic hygiene practice is default password
security. IT professionals should remove factory
default or well-known passwords before devices are
deployed. This mitigates nearly all brute-force attacks
and exploits. Brute-force attacks continue to work,
because IT continues to deploy equipment with default
passwords. Eliminating these passwords would
eliminate this attack vector.
Cloud architectures continue to grow in popularity.
However, security personnel are often not involved
in all aspects of cloud implementations. Enterprises
learned long ago that stateful inspection firewalls and
logs were insufficient to protect against application
level attacks, but many cloud providers offer these
features as standard defenses.
Additional lines of defense
are crucial to protect
applications in the cloud.
33
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportAs noted earlier, the number of data breach incidents
rose in 2018, with more incidents attributed to
misconfigured cloud applications and resources.
Some common cloud security mistakes include
failure to encrypt personally identifiable data,
incorrect data access permissions, and unpatched
code creating vulnerabilities in the application stack.
Cloud technology works differently, but data breach
laws and fines don’t discriminate. We here at Ixia, and
the ATI team, understand these complexities and are
here to help you safely navigate the ever evolving
cyber world.
34
INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION
2019 Ixia Security ReportIxia can help you secure your network, data,
and applications. To learn how network
packet brokers and taps can augment
your security infrastructure to give you the
visibility you need to act fast — ask for a
demo, and we would be happy to show you
what is possible.
Contact us at ixiacom.com
Find us at www.ixiacom.com
915-9331-01-4091 Rev A I © Keysight Technologies, 2019You can also read
